Gmail mobile gets end‑to‑end encryption

End-to-end encryption is email that only the sender and recipient can unlock, using keys the provider cannot read. Google said on April 9 that Gmail now supports that model inside its Android and iOS apps for eligible Google Workspace customers. (workspace.googleblog.com) The mobile rollout lets users compose and read encrypted messages directly in the Gmail app instead of switching to a separate portal or add-on. Google said the feature is available now on both rapid-release and scheduled-release domains. (workspace.googleblog.com) Google’s system is built on client-side encryption, which means the customer controls the top-level encryption keys and Google’s servers cannot decrypt the content. Google says organizations can use an external key service or, for some Gmail setups, hardware keys. (support.google.com 1) (support.google.com 2) The change closes a gap in Gmail’s encrypted email rollout. Google introduced easier end-to-end encrypted sending on the web in April 2025, first for Gmail users in the same organization, then planned expansion to any Gmail inbox and later any email inbox. (workspace.google.com) Google now says licensed users can send an encrypted message to any recipient, regardless of email address. If the recipient uses the Gmail app, the message appears as a normal thread; if not, Google says the recipient can read and reply in a browser. (workspace.googleblog.com) This is not a feature for every Gmail account. Google lists mobile Gmail end-to-end encryption under Google Workspace Enterprise Plus with the Assured Controls or Assured Controls Plus add-on, and its client-side encryption documentation also lists Frontline Plus, Education Standard, and Education Plus for client-side encryption more broadly. (workspace.googleblog.com) (support.google.com) Google is pitching the feature to organizations that handle regulated or sensitive information, including healthcare records, financial data, and intellectual property. In its documentation, the company says client-side encryption is meant to help with privacy, compliance, and data-sovereignty requirements. (support.google.com) (workspace.google.com) The catch is that “end-to-end” in email still depends on who controls the keys and how the recipient accesses the message. Google says administrators must enable Android and iOS clients in the client-side encryption admin interface before users can turn on the extra lock option in Gmail. (workspace.googleblog.com) (support.google.com) For companies already paying for Google Workspace security tools, the update means encrypted email no longer stops at the desktop. The main change is practical: staff can now send and read those locked messages from the same Gmail app they already use on their phones. (workspace.googleblog.com)